
Mattermost — Vulnerabilities & Security Advisories (352)

All 352 CVE vulnerabilities found in Mattermost, with AI-generated Chinese analysis, references, and POCs.

Vendor: Mattermost

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-62190 | CSRF Allows Call Initiation and Message Delivery | CWE-352 | 4.3 | Medium | 2025-12-17 |
| CVE-2025-13870 | Unauthorized access and subscription vulnerability in Boards | CWE-306 | 3.1 | Low | 2025-12-02 |
| CVE-2025-12756 | Insecure Direct Object Reference in Mattermost Boards Plugin Enables Unauthorised Comment Deletion | CWE-863 | 4.3 | Medium | 2025-12-01 |
| CVE-2025-12421 | Account Takeover via Code Exchange Endpoint | CWE-303 | 9.9 | Critical | 2025-11-27 |
| CVE-2025-12559 | Information Disclosure in Common Teams API | CWE-200 | 4.3 | Medium | 2025-11-27 |
| CVE-2025-12419 | Account takeover on OAuth/OpenID-enabled servers | CWE-303 | 9.9 | Critical | 2025-11-27 |
| CVE-2025-55074 | Channel member objects leak read status | CWE-1426 | 3.0 | Low | 2025-11-18 |
| CVE-2025-11794 | Password hash and MFA secret returned in user email verification endpoint | CWE-200 | 4.9 | Medium | 2025-11-14 |
| CVE-2025-55073 | MS Teams plugin OAuth allows editing arbitrary posts | CWE-306 | 5.4 | Medium | 2025-11-14 |
| CVE-2025-55070 | Lack of MFA enforcement in WebSocket connections | CWE-306 | 6.5 | Medium | 2025-11-14 |
| CVE-2025-41436 | Unauthorized access to archived channel content via threads interface | CWE-863 | 3.1 | Low | 2025-11-14 |
| CVE-2025-11776 | Guest user can discover archived public channels | CWE-863 | 4.3 | Medium | 2025-11-14 |
| CVE-2025-59480 | Inadequate validation of SSO redirect credentials permits credential theft | CWE-352 | 6.1 | Medium | 2025-11-13 |
| CVE-2025-11777 | Cross-team channel membership access | CWE-863 | 3.1 | Low | 2025-11-13 |
| CVE-2025-55035 | Mattermost Desktop DoS when user has basic authentication server configured | CWE-754 | 6.1 | Medium | 2025-10-16 |
| CVE-2025-58073 | Arbitrary Mattermost Team can be joined by manipulating the OAuth state | CWE-862 | 8.1 | High | 2025-10-16 |
| CVE-2025-41410 | Slack import bypasses email verification for team access controls | CWE-862 | 5.4 | Medium | 2025-10-16 |
| CVE-2025-10545 | Guest user can add unauthorized team users to private channels | CWE-863 | 3.1 | Low | 2025-10-16 |
| CVE-2025-58075 | Arbitrary Mattermost Team can be joined by manipulating the SAML RelayState | CWE-862 | 8.1 | High | 2025-10-16 |
| CVE-2025-54499 | Insecure string comparison enables timing attacks | CWE-208 | 3.1 | Low | 2025-10-16 |
| CVE-2025-41443 | Guest user can discover active public channels | CWE-862 | 4.3 | Medium | 2025-10-16 |
| CVE-2025-58084 | Mattermost Desktop App crashes when clicking on malformed external URL | CWE-1287 | 3.5 | Low | 2025-10-13 |
| CVE-2025-9081 | IDOR in board file download allows any user to download any file by UUID | CWE-639 | 3.1 | Low | 2025-09-19 |
| CVE-2025-9079 | Admin RCE via prepackaged plugins by way of misconfigured imports directory | CWE-22 | 8.0 | High | 2025-09-19 |
| CVE-2025-9072 | One-Click Mattermost Account Takeover via Poisoned RelayState SAML Parameter | CWE-601 | 7.6 | High | 2025-09-15 |
| CVE-2025-9084 | Open redirect in OAuth login | CWE-601 | 3.1 | Low | 2025-09-15 |
| CVE-2025-9078 | Weak cache keys lead to post IDOR and link preview poisoning | CWE-328 | 4.3 | Medium | 2025-09-15 |
| CVE-2025-9076 | Mattermost Server exposes sensitive user credentials during shared channel membership synchronization | CWE-862 | 6.5 | Medium | 2025-09-15 |
| CVE-2025-6465 | Path traversal in image upload with preview overwrite | CWE-22 | 4.3 | Medium | 2025-08-21 |
| CVE-2025-8402 | Nil pointer dereference in bulk import crashes server | CWE-1287 | 4.9 | Medium | 2025-08-21 |

All 352 known CVE vulnerabilities affecting Mattermost with full Chinese analysis, references, and POCs where available.